Pre-Recruitment Virtual Training

TOPIC: API DEVELOPMENT & DATA CENTRE

OPERATIONS
Session Overview

Duration: 60 Minutes
0-10 min: Introduction
10-20 min: Core Concepts Presentation
20-60 min: Interactive MCQ Quiz-based Learning

Classification: Internal
Introduction to API Development
API stands for Application
Programming Interface. API is a set
of protocols, routines, and tools
that allows different software
applications to communicate with
each other. In banking, APIs enable
secure integration between core
banking systems, mobile apps,
third-party services, and payment
gateways.
Types of API

API Types by Release Policies

API Architecture and API lifecycle

API (Application Programming Interface) architecture refers to the design and structure of an API, including
how it is organized, the interfaces it exposes, and the protocols it uses to communicate with other systems.

The API lifecycle refers to the different stages of development and operation that an API goes through, from
its initial design to its retirement. Here are some key components of API architecture and the API lifecycle:

1. API endpoints: An API endpoint is a specific URL that is used to access an API and perform a specific action,
such as retrieving data or updating a database. API endpoints are typically organized into logical groups,
such as by resource type or functionality.

2. API protocols: An API protocol is the set of rules and standards that are used to communicate between
systems.

Common API protocols include HTTP, HTTPS, and WebSocket.

3. API authentication: API authentication refers to the process of verifying the identity of a user or system
that is accessing an API. This is typically achieved through the use of credentials, such as a username and
password, or tokens, such as OAuth tokens.

4. API documentation: API documentation is a set of resources, such as code samples and user guides, that
provide information about how to use an API. This can include details on the available API endpoints, the input
and output formats, and any error handling mechanisms.

5. API testing: API testing is the process of verifying that an API is functioning correctly and meeting the
functional requirements set out in the API.
API Lifecycle

Classification: Internal
API Security Essentials
API Authentication Methods
API Authentication Methods

API (Application Programming Interface) authentication is the process of verifying the identity of
a client that is requesting access to an API. There are several different authentication methods
that can be used to authenticate clients, including:
OAuth: OAuth (Open Authorization) is an open standard for authorization that allows users to
grant third-party applications access to their data without sharing their passwords. OAuth is
commonly used to enable users to grant access to their social media accounts or other online
accounts.
JWT: JWT (JSON Web Token) is a standard for representing claims securely between two parties.
JWTs are often used as a means of authenticating API requests, as they can be signed and verified
using a secret key.
Basic authentication: Basic authentication is a simple authentication method in which a client
sends a username and password with each request to an API. The API verifies the credentials and
grants access if they are valid.
API keys: API keys are unique identifiers that are issued to clients that want to access an API. The
API checks the API key with each request to verify the identity of the client.
API Authorization and Permissions

API (Application Programming Interface) authorization is the process of granting or denying access to an
API based on the permissions of the client that is requesting access. API authorization is typically used in
conjunction with API authentication, which is the process of verifying the identity of the client.

API authorization can be implemented in a variety of ways, depending on the specific requirements of the
API. Some common methods of implementing API authorization include:

Role-based access control: In role-based access control (RBAC), clients are assigned specific roles, and
access to API resources is granted or denied based on the client's role. For example, a client with the
"admin" role might be granted access to all API resources, while a client with the "user" role might only be
granted access to a subset of API resources.

Attribute-based access control: In attribute-based access control (ABAC), access to API resources is
granted or denied based on the attributes of the client and the API resource. For example, a client might
only be granted access to an API resource if they have a specific attribute, such as a valid API key or an
authorized IP address.

Permission-based access control: In permission-based access control, access to API resources is granted or
denied based on the permissions that have been granted to the client. For example, a client might be
granted read-only access to an API resource, while another client might be granted read and write access
to the same resource.

API authorization is an important aspect of API security and is used to ensure that clients are only granted
access to API resources that they are authorized to access.
Best Practices for Managing API (Contd.)

a) Use Throttling: App Throttling is a great practice to consider for redirecting overflow of traffic, backup APIs and
safeguarding it from DoS (Denial of Service) attacks.

b) Consider your API gateway as Enforcer: While setting up throttling rules, application of API keys or OAuth, the
API gateway must be considered as the enforcement point. It lets only right users get access to the data. It should
empower you to encrypt the message or edit confidential information, and thereby, analyse and manage how your
API is being used.

c) Allow overriding HTTP method: Since some proxies only support GET and POST methods, you need to let your
RESTful API override the HTTP method. For doing so, employ the custom HTTP Header X-HTTP-Method-Override.

d) Evaluate the APIs and infrastructure: In the current time, real-time analysis is possible to get, but what if the
API server is suspected to have memory leaks, draining CPU or other such issues? To consider such situations, you
can’t keep a developer at duty. However, you can perform this easily via using numerous tools available in the
market, like AWS cloudwatch.

e) Ensure security: You must ensure that your API technology is secure but not at the cost of user-friendliness. If
any user spends more than 5 minutes on authentication then it means that your API is far from being user-friendly.
You can use token-based authentication to make your API secure

f) Documentation: Last but not the least, it is profitable to create an extensive documentation for an API for
mobile apps that lets other mobile app developers easily understand the whole process and utilize the information
for offering better user experience. In other words, a good API documentation in the process of effective API
development will lessen the project implementation time, project cost and boost the API technology efficiency.
Key Concepts in API Development
•RESTful APIs are stateless and use HTTP/HTTPS.
•Use of JSON format for request and response.
•API Gateway for traffic control, authentication, rate limiting.
•OAuth 2.0 is used for secure API access.
•Versioning ensures backward compatibility.
•Types: REST, SOAP, GraphQL APIs.
•Common Methods: GET, POST, PUT, DELETE.
•Use Cases in Banking: UPI, AEPS, IMPS, Aadhaar verification.
Data Centre Operations
Introduction to Data Centre Operations
Definition
A data centre is a specialized facility designed to house computer systems and associated
components, including telecommunications and storage systems. In banking, data centres
serve as the backbone of all digital operations.

Why Data Centres Matter in Banking

➢Enable 24/7 banking operations and customer services
➢Ensure secure processing of financial transactions
➢Support regulatory compliance and data governance
➢Provide foundation for digital banking initiatives

Critical Note: In banking, data centre downtime can result in significant financial losses
and regulatory penalties. Reliability is paramount.
Banking Requirement: Most banks operate Tier III or Tier IV data centres to
meet regulatory requirements and customer expectations.
Key Data Centre Processes
Backup Operations Monitoring & Management
➢ Automated daily backups of all critical ➢ 24/7 monitoring of all systems and
banking data infrastructure
➢ Multiple backup copies stored in ➢ Real-time alerting for potential
different locations issues
➢ Regular backup integrity testing and ➢ Performance monitoring and
verification capacity planning

Disaster Recovery (DR) Business Continuity Planning (BCP)

➢ Comprehensive DR plans for various ➢ Detailed procedures for maintaining
failure scenarios operations during disruptions
➢ Secondary data centre ready for ➢ Coordination with business units and
immediate failover external partners
➢ Regular DR drills and testing procedures ➢ Regular BCP updates and staff
training
Key Concepts in Data Centre Operations
N+1 Redundancy
Ensures availability of backup systems. If you need 'N' components to operate, you have
'N+1' components available, providing one backup for every critical component.

High Availability Protocols

Banks typically implement Tier III/IV protocols ensuring 99.982% or higher uptime
through redundant systems and fault-tolerant designs.

Data Centre Infrastructure Management (DCIM)

Comprehensive monitoring systems providing real-time tracking of power consumption,
temperature, humidity, and equipment performance.

BCP and DR Drills

Regular testing exercises to ensure business continuity plans work effectively. Banks
must conduct quarterly DR drills and annual comprehensive BCP exercises.

RBI Data Localization Mandate

All payment system data must be stored in systems located within India. This
includes transaction details, customer information, and payment credentials.
Summary & Best Practices
Key Takeaways
➢ Data centres are mission-critical infrastructure requiring highest levels of reliability.
➢ Tier III/IV classifications essential for banking operations..
➢ Compliance with RBI guidelines and ISO standards is mandatory.
➢ Regular testing of backup, DR, and BCP procedures is crucial.
➢ Data localization requirements must be strictly followed.
Best Practices
➢ Implement comprehensive monitoring and alerting systems.
➢ Maintain detailed documentation of all procedures.
➢ Conduct regular staff training on emergency procedures.
➢ Establish clear escalation procedures for incidents.
➢ Maintain strong relationships with vendors and service providers.